GOOGLE Associate Cloud Engineer Exam Questions 2025

The gcloud compute ssh command is a wrapper around the standard ssh command that automates the entire connection process. When executed, it checks for the existence of SSH keys. If no keys are found, it automatically generates a new key pair (~/.ssh/googlecomputeengine), adds the public key to the project or instance metadata, and then initiates the SSH connection to the specified instance. This single command handles authentication, key generation, key distribution, and connection, making it the most efficient method with the fewest steps, as required by the question.

A. This method will fail. The standard ssh command requires a pre-existing private key on the local machine and a corresponding public key on the target instance, which the scenario states is not deployed.

C. This is an unnecessary step. While it would work, the gcloud compute ssh command will automatically generate the key pair for you if one doesn't exist, making the manual ssh-keygen step redundant.

D. This is the most complex and manual process. It involves multiple commands and manual key management, which is the exact opposite of the "easiest way" and "fewest steps" requirement.

1. Google Cloud Documentation

gcloud compute ssh: "If you do not have a public SSH key

gcloud compute ssh generates one for you. When you generate a new key

gcloud compute ssh adds the key to your project or instance metadata and connects you to the VM." This confirms that the command handles key generation automatically.

Source: Google Cloud SDK Documentation

gcloud compute ssh

Command Description section.

2. Google Cloud Documentation

Connect to Linux VMs: "The gcloud command-line tool provides the simplest way to connect to your instances... When you connect to a Linux instance by using the gcloud command-line tool

Compute Engine creates an ephemeral SSH key for you and sets a username."

Source: Google Cloud Documentation > Compute Engine > User guides > Connect to Linux VMs > Connect using Google Cloud tools.

3. Google Cloud Documentation

Managing SSH keys in metadata: "When you use gcloud compute ssh to connect to an instance

gcloud can automatically create and add an SSH key to the project for you."

Source: Google Cloud Documentation > Compute Engine > User guides > Access control > Managing SSH keys in metadata > How SSH keys work on Compute Engine instances.

The Storage Admin (roles/storage.admin) role provides full control over Cloud Storage resources. This includes all necessary permissions to manage both buckets (e.g., create, delete, list, set IAM policies) and the objects (files) within them. Using this predefined role adheres to the Google-recommended practice of applying the principle of least privilege. It grants the required permissions scoped specifically to the Cloud Storage service, unlike the overly broad Project Editor basic role. This role is the most suitable for colleagues who need comprehensive control over buckets and files without granting them permissions for other services in the project.

A. Project Editor: This is a basic role that grants broad permissions across most Google Cloud services, violating the principle of least privilege.

C. Storage Object Admin: This role grants permissions to manage objects (files) but lacks the necessary permissions to create, delete, or configure buckets.

D. Storage Object Creator: This role is highly restrictive, only allowing users to create objects. It does not permit managing objects or buckets.

1. Google Cloud Documentation

"Cloud Storage IAM roles": The table in this document explicitly states that the roles/storage.admin role provides "Full control of Cloud Storage resources

" which encompasses both buckets and objects. In contrast

roles/storage.objectAdmin is described as having "Full control of Cloud Storage objects

" which does not include bucket management.

Source: Google Cloud

Cloud Storage Documentation

"IAM roles for Cloud Storage".

2. Google Cloud Documentation

"Understanding roles": This guide explains the different types of roles. It recommends using predefined roles over basic roles (like Editor) to grant only the necessary permissions. "Whenever possible

we recommend that you grant predefined roles instead of basic roles. Predefined roles provide finer-grained access control and help you follow the principle of least privilege."

Source: Google Cloud

IAM Documentation

"Understanding roles"

Section: "Role types".

3. Google Cloud Documentation

"Using IAM permissions": This document reinforces the best practice of using the most limited predefined role that meets requirements. "Follow the principle of least privilege... When choosing a predefined role

pick one that contains the minimum set of permissions that your user needs."

Source: Google Cloud

IAM Documentation

"Granting

changing

and revoking access to resources"

Section: "Best practices".

The most secure, scalable, and manageable method to grant SSH access to a specific group of users for a single instance is by using OS Login. OS Login links a user's Google identity with their VM's POSIX account and manages access through IAM roles.

By setting the instance metadata enable-oslogin=true, you activate this feature for that specific instance. Granting the roles/compute.osLogin IAM role to the dev1 group provides the necessary permissions for its members to establish an SSH connection to any instance with OS Login enabled, without granting them broader administrative privileges. This combination precisely meets the requirement of providing scoped access to the specified group.

B. This option is incomplete. While it correctly enables OS Login, it fails to grant the necessary IAM role (compute.osLogin) to the dev1 group, so the users would have no permission to connect.

C. This method is insecure and unscalable. It requires manually generating, distributing, and managing individual SSH keys for each user, which is prone to error and becomes a significant administrative burden as the group changes.

D. Sharing a single private SSH key among multiple users is a severe security anti-pattern. It eliminates individual accountability and makes key revocation and rotation extremely difficult if the key is compromised.

1. Google Cloud Documentation - About OS Login: "OS Login lets you use Compute Engine IAM roles to grant and revoke SSH access to your Linux instances... OS Login is the recommended way to manage many users across multiple instances or projects." This document also specifies that you enable OS Login by setting the enable-oslogin metadata value to TRUE.

Source: Google Cloud Documentation

"About OS Login".

2. Google Cloud Documentation - Set up OS Login: "After you enable OS Login on one or more instances in your project

you need to grant the necessary IAM roles to users." It lists roles/compute.osLogin as the role required to connect to instances.

Source: Google Cloud Documentation

"Set up OS Login"

Step 2: Grant necessary IAM roles.

3. Google Cloud Documentation - Compute Engine predefined IAM roles: The compute.osLogin role is described as providing "permissions to log in to Compute Engine instances using OS Login. This role does not grant administrator access." This confirms it as the appropriate least-privilege role.

Source: Google Cloud Documentation

"Compute Engine IAM roles"

Predefined roles table.

4. Google Cloud Documentation - Managing SSH keys in metadata: This document describes the manual method of managing keys and contrasts it with OS Login. It explains that blocking project-wide keys is a way to restrict access

but it still relies on manually adding instance-level keys

which is less manageable than OS Login.

Source: Google Cloud Documentation

"Managing SSH keys in metadata"

section "Instance-level public SSH keys".

The standard and correct workflow for deploying a containerized application to Google Kubernetes Engine (GKE) begins with the Dockerfile. First, a container image must be built from the Dockerfile using a tool like Docker. This image must then be stored in a container registry that the GKE cluster can access; Google Container Registry (GCR) or Artifact Registry are the standard, integrated choices on Google Cloud. Next, a Kubernetes Deployment manifest (a YAML file) is created. This file declaratively defines the desired state, specifying the container image location (from the registry), the number of replicas, and other configurations. Finally, the kubectl command-line tool is used to apply this manifest to the GKE cluster, which then pulls the image and creates the Pods.

A. kubectl app deploy . is not a valid or standard kubectl command for deploying applications. The correct command to apply a configuration file is kubectl apply -f .

B. gcloud app deploy . is the command used to deploy applications to Google App Engine, which is a different service (Platform-as-a-Service) from Google Kubernetes Engine.

D. Google Cloud Storage is an object storage service, not a container registry. GKE nodes cannot pull container images directly from a Cloud Storage bucket; they require a registry that implements the Docker Registry API.

1. Google Cloud Documentation

"Deploying a containerized web application": This official tutorial outlines the exact steps described in the correct answer. It details building a container image

pushing it to Artifact Registry (Google's recommended container registry)

and then deploying it to a GKE cluster using a manifest file (deployment.yaml) and kubectl apply. (See steps 3

4

and 6 in the guide).

2. Google Cloud Documentation

"Container Registry overview": "Container Registry is a private container image registry that runs on Google Cloud... You can access Container Registry through HTTPS endpoints

from gcloud

or from Docker." This confirms that a registry

not object storage

is the correct location for images.

3. Google Cloud SDK Documentation

gcloud app deploy: The official documentation for this command states

"This command is used to deploy the source code and configuration of your application to the App Engine server." This explicitly links the command to App Engine

not GKE.

4. Kubernetes Documentation

"Deployments": "A Deployment provides declarative updates for Pods... You describe a desired state in a Deployment

and the Deployment Controller changes the actual state to the desired state at a controlled rate." This supports the use of a declarative YAML file as the standard practice.

A signed URL provides a secure, time-limited method for granting read or write access to a specific Cloud Storage object. It uses a cryptographic signature embedded in the URL, which authenticates the request without requiring the user to have a Google account. By setting a four-hour expiration, access is automatically revoked after the specified period. This approach directly addresses all requirements: it's secure for sensitive data, time-limited, works for users without Google accounts, and is the most direct method, requiring only a single step to generate the URL.

B. Making an object public is highly insecure for sensitive data, as anyone on the internet could potentially access it during the four-hour window.

C. Configuring a bucket as a static website also makes objects publicly accessible, which is not secure for sensitive content. This method is also more complex than generating a signed URL.

D. This method is inefficient, requiring multiple steps (create bucket, copy object, delete bucket). It also fails to specify the access mechanism, which would still need to be either public (insecure) or a signed URL (making option A superior).

1. Google Cloud Documentation - Signed URLs: "A signed URL is a URL that provides limited permission and time to make a request... Anyone who knows the signed URL can access the resource until the URL expires

regardless of whether they have a Google Cloud account." This document explicitly describes the use case of providing temporary access to users without Google accounts.

Source: Google Cloud Documentation

"Cloud Storage > How-to Guides > Using signed URLs".

2. Google Cloud Documentation - Overview of Access Control: This document outlines various access control methods. It implicitly discourages using public access for sensitive data by describing its function: "The allUsers identifier is a special identifier that represents any user who is on the internet." This highlights the insecurity of options B and C.

Source: Google Cloud Documentation

"Cloud Storage > Key Concepts > Overview of access control".

3. Google Cloud Documentation - Object Lifecycle Management: "Object Lifecycle Management lets you apply rules to a bucket that automatically take an action on the objects in the bucket when they meet the criteria you specify." The purpose is automated object state management (e.g.

deletion

changing storage class)

not for granting temporary

secure access to external users.

Source: Google Cloud Documentation

"Cloud Storage > How-to Guides > Using Object Lifecycle Management".

The Pending status for a Pod indicates that the Kubernetes scheduler has accepted the Pod but cannot yet place it onto a node. The most common reason for this is insufficient cluster resources (CPU or memory). In this scenario, the first replica of the Deployment was successfully scheduled and is Running, consuming resources on a node. The second replica, with identical resource requests, cannot be scheduled because the remaining available resources in the cluster are not sufficient to meet its needs. The Pod will remain Pending until resources are freed up or a new node is added to the cluster, for example, by the cluster autoscaler.

A: This is incorrect because one replica is already Running. As both Pods have identical resource requests, if one can fit on a node, the other's request is not inherently too large.

C: Incorrect image pull permissions would cause an ImagePullBackOff or ErrImagePull status after the Pod is scheduled to a node, not prevent it from being scheduled (i.e., leave it Pending).

D: While a node preemption could lead to this state, the direct cause of the Pending status is the lack of schedulable resources, which is more accurately described by option B.

1. Kubernetes Documentation

Pod Lifecycle

Pod Phase: The Pending phase is defined as: "The Pod has been accepted by the Kubernetes cluster

but one or more of the containers has not been set up and made ready to run. This includes time a Pod spends waiting to be scheduled..." This confirms that scheduling issues are a primary cause of the Pending state. (Source: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase)

2. Google Cloud Documentation

GKE

Cluster autoscaler: "Cluster autoscaler automatically resizes the number of nodes in a given node pool

based on the demands of your workloads. ... it adds nodes when there are Pods that failed to schedule in the node pool due to insufficient resources." This directly links the Pending state (failed to schedule) with resource insufficiency. (Source: https://cloud.google.com/kubernetes-engine/docs/concepts/cluster-autoscaler

"How cluster autoscaler works" section).

3. Kubernetes Documentation

Kubernetes Scheduler: The scheduler's role is to assign Pods to nodes. "If no node is suitable

the pod remains unscheduled until the scheduler is able to place it." The primary filtering step in finding a suitable node is checking if a node has enough available resources to meet the Pod's specific resource requests. (Source: https://kubernetes.io/docs/concepts/scheduling-eviction/kube-scheduler/

"The kube-scheduler" section).

This architecture represents a classic streaming data pipeline on Google Cloud, particularly for time-series or IoT data.

1. Ingest (Cloud Pub/Sub): Cloud Pub/Sub is a fully managed, real-time messaging service designed to ingest high-throughput event streams from many sources, such as IoT devices.

2. Process (Cloud Dataflow): Cloud Dataflow is a unified stream and batch data processing service. It is ideal for executing pipelines that transform, enrich, and aggregate incoming data in real-time.

3. Serve (Cloud Bigtable): Cloud Bigtable is a NoSQL, wide-column database optimized for high-throughput reads and writes with very low latency. This makes it the perfect choice for serving time-series data to real-time dashboards and applications.

4. Analyze (BigQuery): BigQuery is a serverless, highly scalable data warehouse built for business intelligence and ad-hoc analysis. It allows for complex SQL queries over massive datasets.

A: Cloud Datastore is a document database designed for transactional web and mobile application backends, not for the high-throughput analytical workloads typical of time-series data.

B: Firebase Messages is for sending notifications to client applications, not a general-purpose data ingestion service. Cloud Spanner is a relational database, which is less suited for this specific time-series use case than Bigtable.

C: Cloud Storage is an object storage service, not a data processing engine. This option also incorrectly swaps the roles of BigQuery (for analysis) and Bigtable (for low-latency serving).

1. Google Cloud Documentation

"IoT overview": This document presents a reference architecture for IoT data that explicitly shows the flow: Cloud Pub/Sub (for ingestion) -> Cloud Dataflow (for processing) -> Cloud Bigtable (for processing and serving) and BigQuery (for data analysis). See the "Reference architecture" diagram.

2. Google Cloud Documentation

"Cloud Bigtable - Overview": Under the section "What it's good for

" the documentation lists "Time series data" as a primary use case

stating

"Cloud Bigtable is a great choice for storing and querying large amounts of time-series data."

3. Google Cloud Documentation

"Dataflow - Common use cases": This page describes using Dataflow for "Streaming analytics" and "IoT

" often in conjunction with Pub/Sub for ingestion and BigQuery or Bigtable for storage and analysis.

4. Google Cloud Documentation

"What is BigQuery?": The official documentation defines BigQuery as a "fully managed enterprise data warehouse that helps you manage and analyze your data

" which directly corresponds to the "Ad-hoc analysis" function in the diagram.

This solution describes a standard, event-driven, and fully automated pattern for scaling Google Cloud resources that do not have a native autoscaling feature. A Cloud Monitoring (formerly Stackdriver) alerting policy can monitor the Cloud Spanner instance's CPU utilization. When the utilization crosses a predefined threshold (either high or low), the policy triggers a notification to a webhook. A Cloud Function is configured with an HTTP trigger to listen on this webhook's endpoint. Upon receiving the alert, the function executes code that uses the Cloud Spanner API to resize the instance by adding or removing nodes, thus achieving automatic scaling.

A. A cron job is a scheduled, time-based trigger. While it can automate scaling for predictable patterns, it is less responsive to real-time metric fluctuations compared to an event-driven alerting policy.

B. This option relies on manual intervention by an on-call SRE to scale the instance. This fails to meet the requirement for an automatic scaling solution.

C. Involving Google Cloud Support for routine operational tasks like scaling is not a standard or appropriate procedure. This process is manual and not the intended use of the support service.

1. Google Cloud Blog - Tutorial: Autoscaling Cloud Spanner: This official tutorial explicitly details the recommended architecture for autoscaling Cloud Spanner. It states

"In this architecture

Cloud Monitoring periodically checks the CPU utilization of your Spanner instance. When the CPU utilization crosses a threshold

Monitoring sends a notification to a webhook. The notification triggers a Cloud Function that adds or removes a node from your Spanner instance." This directly validates option D.

Source: Google Cloud Blog

"Autoscaling Cloud Spanner".

2. Cloud Monitoring Documentation - Notification options: The official documentation lists webhooks as a notification channel. It explains

"You can use webhooks to send a notification to other services... When you create a webhook notification channel

you provide a URL to which Monitoring sends a POST request when a notification is triggered." This confirms the trigger mechanism.

Source: Google Cloud Documentation

Cloud Monitoring

"Notification options"

Section: "Webhooks".

3. Cloud Spanner Documentation - Monitoring with Cloud Monitoring: The documentation highlights high-priority CPU utilization as a key metric for monitoring Spanner performance and determining when to scale. It recommends keeping CPU utilization below 65% for multi-region instances and 75% for regional instances to ensure optimal performance. This validates using CPU metrics as the basis for scaling decisions.

Source: Google Cloud Documentation

Cloud Spanner

"Monitoring with Cloud Monitoring"

Section: "Alerting".

4. Cloud Functions Documentation - HTTP Triggers: This documentation explains how to create functions that can be invoked via HTTP requests

which is precisely how a webhook integration works. "HTTP functions can be invoked from standard HTTP requests. These functions must send a response."

Source: Google Cloud Documentation

Cloud Functions

"Develop"

"HTTP Triggers".

Google Cloud Deployment Manager can be extended to manage resources from third-party APIs by adding them as "Type Providers". The Kubernetes API is a RESTful API with an OpenAPI specification, making it a perfect candidate for a Type Provider. By creating the GKE cluster first, you can extract its API endpoint and credentials within the same deployment. You then use these outputs to dynamically configure a new Type Provider for that specific cluster's API. Finally, you use this new type to declaratively create the DaemonSet, all within a single Deployment Manager execution without needing extra services like Compute Engine.

B: Runtime Configurator is a service for storing and managing dynamic configuration data. It does not have the capability to apply configurations or create resources within a GKE cluster.

C: This approach requires an additional Compute Engine instance solely to run a kubectl command. This is inefficient and violates the principle of using the fewest possible services.

D: The Google Kubernetes Engine resource definition in Deployment Manager does not have a feature to interpret metadata entries as Kubernetes manifests to be applied to the cluster.

1. Google Cloud Documentation - Adding a Type Provider: This document explains how to extend Deployment Manager to work with third-party APIs. It states

"You can expand the types of Google Cloud resources that Deployment Manager can create by adding API-specific type providers... A type provider exposes all of the resources of a third-party API to Deployment Manager as base types that you can use in your configurations." The Kubernetes API is such a third-party API in this context.

Source: Google Cloud Documentation

"Adding a Type Provider"

Section: "Before you begin".

2. Google Cloud Documentation - Calling a Third-Party API: This guide provides a conceptual overview and explicitly mentions that the API must have an OpenAPI (formerly Swagger) specification

which the Kubernetes API does.

Source: Google Cloud Documentation

"Calling a Third-Party API"

Section: "About integrating with third-party APIs".

3. Google Cloud Community Tutorials - Automating GKE cluster and application deployment with Deployment Manager: This tutorial provides a step-by-step example of the exact process described in the correct answer. It shows creating a GKE cluster

then using its endpoint to create a Type Provider

and finally using that provider to deploy a Kubernetes application.

Source: Google Cloud Community Tutorials

"Automating GKE cluster and application deployment with Deployment Manager"

Sections: "Creating the Deployment Manager configuration" and "Creating the Kubernetes type provider".

This scenario describes a standard cross-project resource sharing pattern on Google Cloud. The most secure and manageable approach is for the entity requiring access (the partner) to create and manage their own identity. The partner creates a service account in their project, which they control. They then provide the service account's unique email address to you. As the owner of the BigQuery dataset, you grant the necessary IAM role (e.g., BigQuery Data Viewer) to that specific service account on your dataset. This adheres to the principle of least privilege and proper separation of concerns, where each party manages their own resources and identities.

A. Creating the service account in your project requires you to manage its lifecycle and securely share its credentials (keys) with the partner, which is a security risk and an anti-pattern.

B. This is illogical. The service account needs access to the BigQuery dataset in your project, not to resources in the partner's project.

C. The partner granting their service account access to their own project does not confer any permissions to access resources, like your dataset, in a different project.

1. Google Cloud Documentation

BigQuery

"Control access to datasets": In the section "Grant access to a dataset

" the procedure describes adding a "principal" to the dataset's IAM policy. A principal can be a "service account

" and its email address format ([email protected]) inherently allows for granting access to a service account from a different project. This document outlines the exact procedure described in the correct answer.

2. Google Cloud Documentation

IAM

"Overview of IAM": This document explains the core IAM concepts. It defines a "principal" as an identity that can be granted access to a resource. It states

"A principal can be a Google Account... a service account

a Google group

or a Google Workspace... that needs access to a Google Cloud resource." This confirms that a service account from the partner's project is a valid principal to which you can grant access.

3. Google Cloud Documentation

IAM

"Service accounts overview": This page clarifies that "Service accounts are principals in IAM policies" and are "identified by their email address

which is unique to the account." This supports the method of the partner providing their unique service account email for you to add to your dataset's IAM policy.